Moxa UC-8100A-ME-T-LX Setup
This page details the steps to set up a Moxa UC-8100A-ME-T-LX as an MQTT Transmission gateway for reliable and consistent communications.
Standard Setup
Firmware Updates
To check the firmware on the Moxa, run the following command via SSH (the default login is moxa/moxa; change that password with passwd before the unit goes on any shared network):
kversion -a
If the device has the Custom-QTC firmware loaded, it most likely has ThingWorks installed, which allows configuration through LAN 2 at IP 192.168.4.127. LAN 1 is configured as the WAN port and by default has the static IP 192.168.3.127. On these units any network or serial port configuration done via SSH is overwritten by the web interface on every reboot, so only the Ignition installation needs to be done via SSH.
Upgrade the firmware using the following commands if using the non-custom firmware image:
sudo apt update
sudo apt install -y uc8100a-me-base-system
sudo reboot
Software Updates
Upgrade the other software on the unit after it reboots with these commands:
sudo apt update
sudo apt upgrade -y
Network Configuration
If using a model without ThingWorks, configuration of network ports is done via the command line (SSH).
To change the network configuration, run the following command:
sudo nano /etc/network/interfaces
By default the portion of the configuration for the network ports is as follows:
iface eth0 inet static
        address 192.168.3.127
        network 192.168.3.0
        netmask 255.255.255.0
        broadcast 192.168.3.255
iface eth1 inet static
        address 192.168.4.127
        network 192.168.4.0
        netmask 255.255.255.0
        broadcast 192.168.4.255
To change the static IP to a different static IP and add a gateway, modify it as follows (adjust addresses as necessary; the network, broadcast and gateway lines must all agree with the new address and netmask):
iface eth0 inet static
        address 10.10.4.13
        network 10.10.4.0
        netmask 255.255.255.0
        gateway 10.10.4.1
        broadcast 10.10.4.255
iface eth1 inet static
        address 192.168.4.127
        network 192.168.4.0
        netmask 255.255.255.0
        broadcast 192.168.4.255
To set up the top Ethernet port (eth0) for DHCP, modify the file as follows:
iface eth0 inet dhcp
#        address 192.168.3.127
#        network 192.168.3.0
#        netmask 255.255.255.0
#        broadcast 192.168.3.255
iface eth1 inet static
        address 192.168.4.127
        network 192.168.4.0
        netmask 255.255.255.0
        broadcast 192.168.4.255
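One mistake this file invites is changing the address line and forgetting that network, broadcast and gateway must agree with it. The following checker is added here as an example; it is not part of the original page or of Moxa's tooling. It parses interfaces-style text, derives the network and broadcast from each static stanza's address and netmask with Python's ipaddress module, and reports stanzas that disagree. The sample text is constructed: the eth0 and eth1 stanzas above plus a deliberately inconsistent eth2 stanza whose address was moved to another subnet.

```python
import ipaddress

# Constructed sample: the page's eth0/eth1 stanzas plus a broken eth2 stanza
# in which only the "address" line was edited.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback
iface eth0 inet static
        address 10.10.4.13
        network 10.10.4.0
        netmask 255.255.255.0
        gateway 10.10.4.1
        broadcast 10.10.4.255
iface eth1 inet static
        address 192.168.4.127
        network 192.168.4.0
        netmask 255.255.255.0
        broadcast 192.168.4.255
iface eth2 inet static
        address 10.10.5.13
        network 10.10.4.0
        netmask 255.255.255.0
        gateway 10.10.4.1
        broadcast 10.10.4.255
"""


def parse_interfaces(text):
    """Return {iface_name: {"method": ..., option: value, ...}} per iface stanza.

    Lines starting with '#' are comments (the dhcp example above leaves the old
    static lines commented out) and are ignored.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "iface":
            fields = value.split()          # "eth0 inet static"
            current = {"method": fields[-1]}
            stanzas[fields[0]] = current
        elif key in ("auto", "allow-hotplug", "source", "mapping"):
            current = None                  # not part of a stanza
        elif current is not None:
            current[key] = value
    return stanzas


def check_static_stanza(name, opts):
    """Return a list of problems for one stanza (empty if it is consistent)."""
    if opts.get("method") != "static":
        return []                           # dhcp/loopback carry nothing to cross-check
    if "address" not in opts or "netmask" not in opts:
        return [f"{name}: static stanza needs both address and netmask"]
    try:
        iface = ipaddress.ip_interface(f"{opts['address']}/{opts['netmask']}")
    except ValueError as e:
        return [f"{name}: {e}"]
    net = iface.network
    problems = []
    if "network" in opts and ipaddress.ip_address(opts["network"]) != net.network_address:
        problems.append(f"{name}: network {opts['network']} should be {net.network_address}")
    if "broadcast" in opts and ipaddress.ip_address(opts["broadcast"]) != net.broadcast_address:
        problems.append(f"{name}: broadcast {opts['broadcast']} should be {net.broadcast_address}")
    if "gateway" in opts:
        gw = ipaddress.ip_address(opts["gateway"])
        if gw not in net:
            problems.append(f"{name}: gateway {gw} is not inside {net}")
        elif gw == iface.ip:
            problems.append(f"{name}: gateway equals the interface address")
    return problems


def check_interfaces(text):
    """Check every stanza; returns {iface: [problems]} for the failing ones only."""
    results = {}
    for name, opts in parse_interfaces(text).items():
        probs = check_static_stanza(name, opts)
        if probs:
            results[name] = probs
    return results


if __name__ == "__main__":
    for name, probs in check_interfaces(SAMPLE_INTERFACES).items():
        print("\n".join(probs))
```

Run it against the real file with check_interfaces(open("/etc/network/interfaces").read()) before bringing the interface up; an inconsistent stanza is far easier to fix over SSH than over a serial console after the unit has lost its route.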
If you need to renew a DHCP address, run the following command:
sudo dhclient eth0
The "eth0" argument restricts the renewal to that interface.
To do a thorough release and renew, run these 2 commands instead:
sudo dhclient -r eth0
sudo dhclient eth0
To configure DNS, set the DNS servers by editing /etc/resolv.conf:
sudo nano /etc/resolv.conf
Modify the file to look like the example below to use the Cloudflare and Google DNS servers, or substitute your own (add or remove lines as necessary). Note that if eth0 is configured for DHCP, dhclient rewrites this file with the servers the DHCP server hands out, so in that case the DNS servers come from the DHCP server rather than from this file:
nameserver 1.1.1.1
nameserver 8.8.8.8
Serial Port Communications
To check the serial port configuration, run the following commands to view the current modes of serial ports 1 and 2 (mx-uart-ctl numbers the ports from 0):
sudo mx-uart-ctl -p 0
sudo mx-uart-ctl -p 1
To set both ports up for RS-485 2-Wire, run the following commands:
sudo mx-uart-ctl -p 0 -m 1
sudo mx-uart-ctl -p 1 -m 1
For other modes, see the following table:
| Mode # | Operation Mode |
| --- | --- |
| (omitted) | Display current mode |
| 0 | RS-232 |
| 1 | RS-485 2-Wire (Half Duplex) |
| 2 | RS-422/RS-485 4-Wire (Full Duplex) |
To have the configured port modes set at boot, edit /etc/rc.local:
sudo nano /etc/rc.local
Add the following lines just before the "exit 0" line (rc.local runs as root, so sudo is not needed; the file must be executable, so check it with ls -l /etc/rc.local and run sudo chmod +x /etc/rc.local if it is not):
# Set the serial ports to RS-485 2-Wire
mx-uart-ctl -p 0 -m 1
mx-uart-ctl -p 1 -m 1
Time Synchronization
The Moxa units appear to have a bug that prevents the NTP service from keeping correct time.
If the following command does not show the service running and instead gives a warning or error, the unit is most likely affected:
sudo service systemd-timesyncd status
The cause is that systemd-timesyncd refuses to start while an executable ntpd binary is present (its unit file carries a condition that /usr/sbin/ntpd must not be executable). Removing the executable bit on /usr/sbin/ntpd clears that condition:
sudo chmod -x /usr/sbin/ntpd
Then either reboot or start the time synchronization service:
sudo service systemd-timesyncd start
Confirm afterwards with timedatectl status that the clock is synchronized.
To set the timezone to Central time, run the following commands:
sudo rm /etc/localtime
sudo ln -s /usr/share/zoneinfo/US/Central /etc/localtime
Advanced Setup
IPTables Firewall for protecting SSH
Create the firewall rules for the custom ICS-INPUT chain:
sudo nano /etc/iptables/ics-up.rules
Your file should look something like this:
*filter
-N ICS-INPUT
-A INPUT -j ICS-INPUT
-A ICS-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A ICS-INPUT -i eth0 -p tcp --dport 22 -j REJECT
-A ICS-INPUT -j RETURN
COMMIT
Note what these rules do and do not cover: only new SSH connections arriving on eth0 (LAN 1, the WAN port) are rejected; SSH on eth1 and every other port fall through the RETURN to the INPUT chain's default ACCEPT policy; and the first rule accepts anything already established, so an SSH session that is open when the rules load is not cut off. Before loading the file, check that it parses (iptables-restore --test parses without committing), and keep your current SSH session open while you load it in case of a mistake:
sudo iptables-restore --test < /etc/iptables/ics-up.rules
sudo iptables-restore < /etc/iptables/ics-up.rules
These rules are made persistent in two ways: /etc/iptables/rules.v4, which the iptables-persistent package loads at boot, and a script in /etc/network/if-pre-up.d, which reloads the ICS-INPUT rules just before any network port comes up so that ports connecting and disconnecting keep SSH blocked.
First, modify rules.v4 so the ICS-INPUT chain is in it as well (if /etc/iptables/rules.v4 does not exist, install the package with sudo apt install -y iptables-persistent, which offers to save the running rules into it):
sudo nano /etc/iptables/rules.v4
Your file should look something like this (the counters in square brackets are left over from iptables-save and are ignored on restore):
# Generated by iptables-save v1.6.0 on Thu Dec  9 10:58:41 2021
*mangle
:PREROUTING ACCEPT [17503:2004557]
:INPUT ACCEPT [17278:1952501]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16267:1770424]
:POSTROUTING ACCEPT [16267:1770424]
COMMIT
# Completed on Thu Dec  9 10:58:41 2021
# Generated by iptables-save v1.6.0 on Thu Dec  9 10:58:41 2021
*nat
:PREROUTING ACCEPT [720:123929]
:INPUT ACCEPT [485:71353]
:OUTPUT ACCEPT [103:6698]
:POSTROUTING ACCEPT [93:6049]
COMMIT
# Completed on Thu Dec  9 10:58:41 2021
# Generated by iptables-save v1.6.0 on Thu Dec  9 10:58:41 2021
*filter
:INPUT ACCEPT [1114:106577]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [981:90336]
:ICS-INPUT - [0:0]
-A INPUT -j ICS-INPUT
-A ICS-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A ICS-INPUT -i eth0 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A ICS-INPUT -j RETURN
COMMIT
# Completed on Thu Dec  9 10:58:41 2021
Finally, add a file to the if-pre-up.d folder so that the ICS-INPUT rules are re-added just before a network port comes up:
sudo nano /etc/network/if-pre-up.d/iptables
Your file should look like this:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables/ics-up.rules
Now, make the file executable:
sudo chmod +x /etc/network/if-pre-up.d/iptables
Because iptables-restore flushes the filter table before loading the file, this also removes any per-IP ACCEPT rule that port knocking (next section) has added, which is the intended behaviour: an interface bounce leaves SSH blocked until the knock sequence is sent again.
Port Knocking
Install KnockD with the following command:
sudo apt install -y knockd
Enable the service with this command:
sudo systemctl enable knockd
Enable knockd at startup by editing the following file, setting START_KNOCKD=1 and making sure the Ethernet port that knockd listens on for knocks is specified:
sudo nano /etc/default/knockd
Your file should look something like this:
################################################
#
# knockd's default file, for generic sys config
#
################################################
# control if we start knockd at init or not
# 1 = start
# anything else = don't start
#
# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
START_KNOCKD=1
# command line options
KNOCKD_OPTS="-i eth0"
Next, edit the port knocking configuration as follows:
sudo nano /etc/knockd.conf
Your file should look something like this (modify for your selected TCP/UDP port combinations):
[options]
        UseSyslog
[SSH]
        sequence       = 54970:udp,33520:udp,12547:udp,45264:udp,23685:udp
        seq_timeout    = 15
        tcpflags       = syn
        start_command   = /sbin/iptables -I ICS-INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 30
        stop_command    = /sbin/iptables -D ICS-INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
A few things to note about this configuration: all five knocks must arrive within seq_timeout (15 seconds); start_command inserts the ACCEPT rule at the top of ICS-INPUT with -I, ahead of the REJECT rule, and stop_command removes it cmd_timeout (30 seconds) later, so the SSH connection must be opened within that window (once open it survives, because the ESTABLISHED rule matches it); tcpflags only applies to TCP knocks and has no effect on this all-UDP sequence; and the sequence is a shared secret that anyone sniffing the WAN link can replay, so treat it as a hurdle in front of SSH, not a substitute for key-based authentication and a changed default password.
Finally, to make sure network ports connecting and disconnecting do not break port knocking, add a file to the if-up.d folder to restart knockd when a network port comes up:
sudo nano /etc/network/if-up.d/knockd
Your file should look like this:
#!/bin/sh
systemctl restart knockd
Now, make the file executable:
sudo chmod +x /etc/network/if-up.d/knockd
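To see exactly what the ICS-INPUT rules in the previous section and knockd's start_command and stop_command do to a packet, here is a small model of the chain. It is added as an example, is not part of the original page, and does not touch the real firewall: it evaluates verdicts for packets arriving on eth0 and eth1, inserts and deletes the per-IP ACCEPT rule the way knockd's -I and -D commands do, and shows that reloading ics-up.rules from if-pre-up.d wipes the knock-opened rule. The packet attributes and source addresses are constructed, and the INPUT policy is assumed to be ACCEPT with no other INPUT rules, as in the rules.v4 above.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed inbound packet as INPUT sees it (interface, protocol, port, source)."""
    iface: str
    proto: str
    dport: int
    src: str = "10.10.4.50"
    established: bool = False      # would match -m conntrack --ctstate ESTABLISHED,RELATED


@dataclass
class Rule:
    """One ICS-INPUT rule; a None field means that match is not specified (wildcard)."""
    target: str                          # ACCEPT, REJECT or RETURN
    iface: Optional[str] = None          # -i
    proto: Optional[str] = None          # -p
    dport: Optional[int] = None          # --dport
    src: Optional[str] = None            # -s
    established_only: bool = False       # -m conntrack --ctstate ESTABLISHED,RELATED

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.src is None or self.src == p.src)
                and (not self.established_only or p.established))


class IcsInput:
    """Model of the ICS-INPUT chain; INPUT is assumed to have policy ACCEPT and no other rules."""
    INPUT_POLICY = "ACCEPT"

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.restore()

    def restore(self) -> None:
        """iptables-restore < ics-up.rules: the chain is flushed and rebuilt in file order."""
        self.rules = [
            Rule("ACCEPT", established_only=True),
            Rule("REJECT", iface="eth0", proto="tcp", dport=22),
            Rule("RETURN"),
        ]

    @staticmethod
    def _knock_rule(ip: str) -> Rule:
        return Rule("ACCEPT", src=ip, proto="tcp", dport=22)

    def knock_open(self, ip: str) -> None:
        """start_command: iptables -I ICS-INPUT -s %IP% ... inserts at position 1."""
        self.rules.insert(0, self._knock_rule(ip))

    def knock_close(self, ip: str) -> None:
        """stop_command: iptables -D ICS-INPUT -s %IP% ... deletes the first identical rule."""
        self.rules.remove(self._knock_rule(ip))

    def verdict(self, p: Packet) -> str:
        """Walk the chain top to bottom; RETURN hands the packet back to INPUT's policy."""
        for r in self.rules:
            if r.matches(p):
                return self.INPUT_POLICY if r.target == "RETURN" else r.target
        return self.INPUT_POLICY


def walkthrough(knocker: str = "10.10.4.50", other: str = "10.10.4.51") -> dict:
    """Verdicts at each stage for the cases the page's rules are meant to cover."""
    fw = IcsInput()
    ssh0 = Packet("eth0", "tcp", 22, src=knocker)
    out = {
        "ssh eth0 before knock": fw.verdict(ssh0),
        "ssh eth1 before knock": fw.verdict(Packet("eth1", "tcp", 22, src=knocker)),
        "mqtt 1883 eth0": fw.verdict(Packet("eth0", "tcp", 1883, src=knocker)),
        "established ssh eth0": fw.verdict(Packet("eth0", "tcp", 22, src=knocker, established=True)),
    }
    fw.knock_open(knocker)
    out["ssh eth0 after knock"] = fw.verdict(ssh0)
    out["ssh eth0 other host after knock"] = fw.verdict(Packet("eth0", "tcp", 22, src=other))
    fw.knock_close(knocker)                 # cmd_timeout expired
    out["new ssh eth0 after cmd_timeout"] = fw.verdict(ssh0)
    out["open session after cmd_timeout"] = fw.verdict(
        Packet("eth0", "tcp", 22, src=knocker, established=True))
    fw.knock_open(knocker)
    fw.restore()                            # interface bounce: if-pre-up.d reloads ics-up.rules
    out["ssh eth0 after interface bounce"] = fw.verdict(ssh0)
    return out


if __name__ == "__main__":
    for case, result in walkthrough().items():
        print(f"{case:36} {result}")
```

The two results worth dwelling on are "ssh eth1 before knock", which is ACCEPT because the REJECT rule is bound to eth0 only, so LAN 2 remains open and must be treated as a trusted segment, and "open session after cmd_timeout", which is ACCEPT because the ESTABLISHED rule sits above the REJECT; that ordering is what lets a 30-second knock window carry an SSH session of any length.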
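A knock client to pair with the knockd.conf above, added as an example rather than code from the page or from the knockd project: it parses the [SSH] section (the embedded copy of the configuration is constructed to match the page's), checks that the sequence can be delivered inside seq_timeout, and sends the knocks. UDP knocks are empty datagrams; TCP knocks are plain connection attempts, since with tcpflags = syn the SYN is all knockd looks for, so a refused connection still counts. The target host and the gap between knocks are assumptions; on a real unit you then have cmd_timeout seconds to start ssh.

```python
import configparser
import socket
import time

# Constructed copy of the /etc/knockd.conf shown on this page.
SAMPLE_KNOCKD_CONF = """\
[options]
        UseSyslog
[SSH]
        sequence       = 54970:udp,33520:udp,12547:udp,45264:udp,23685:udp
        seq_timeout    = 15
        tcpflags       = syn
        start_command   = /sbin/iptables -I ICS-INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 30
        stop_command    = /sbin/iptables -D ICS-INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""


def parse_knock_sequence(conf_text, section="SSH"):
    """Return ([(port, proto), ...], seq_timeout, cmd_timeout) from knockd.conf text.

    knockd.conf is INI-like: allow_no_value handles the bare 'UseSyslog' key and
    interpolation is off because the commands contain '%IP%'.
    """
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(conf_text)
    seq = []
    for item in cp.get(section, "sequence").split(","):
        port, _, proto = item.strip().partition(":")
        proto = (proto or "tcp").lower()        # knockd treats a bare port as TCP
        if proto not in ("tcp", "udp") or not 0 < int(port) < 65536:
            raise ValueError(f"bad knock entry {item!r}")
        seq.append((int(port), proto))
    return seq, cp.getint(section, "seq_timeout"), cp.getint(section, "cmd_timeout")


def send_knocks(host, sequence, gap=0.2, seq_timeout=15):
    """Send the knocks in order with `gap` seconds between them; returns the count sent.

    The whole sequence has to reach knockd within seq_timeout or it is discarded,
    so refuse a gap that cannot fit (network delay is not accounted for).
    """
    if gap * (len(sequence) - 1) >= seq_timeout:
        raise ValueError("knocks would not all arrive within seq_timeout")
    sent = 0
    for port, proto in sequence:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.sendto(b"", (host, port))     # empty datagram is enough
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.settimeout(0.5)
                try:
                    s.connect((host, port))
                except OSError:
                    pass                        # refused or timed out: the SYN already went out
        sent += 1
        time.sleep(gap)
    return sent


if __name__ == "__main__":
    seq, seq_timeout, cmd_timeout = parse_knock_sequence(SAMPLE_KNOCKD_CONF)
    n = send_knocks("127.0.0.1", seq, seq_timeout=seq_timeout)   # assumed target host
    print(f"sent {n} knocks; ssh must be started within {cmd_timeout} s")
```

Because the knock goes out over the same WAN link the SSH session then uses, run the client from the host you intend to SSH from, otherwise %IP% in start_command resolves to the wrong source address and the ACCEPT rule never matches.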
